A friend recently sent me an email that warned me that I had my phone numbers on the bottom of my email signature - she was worried for me because "you can't be too careful with all the identity theft going on". And, while I've yet to really think of a threat scenario where someone knowing my Skype-In number could cause the compromise of my NPPI, I knew I had to reflect on ID theft for a minute.
And then I read this post over at Sunnet Beskerming about a recent major ID breach. From the post:
"Continuing a trend of employees stealing valuable data, an employee at a Fidelity National Information Services subsidiary at some time prior to May 2007 stole more than 2 million records that contained a range of personal, financial account, and credit card data for users of Fidelity services."
With all the people who worry about technical ID theft (like the TJX breach), I think that this type of theft is likely far more prevalent. It reminds me of an article that Schneier wrote a few years ago in Dr. Dobbs on Attack Trees. It was a relatively overcomplexificated article for a really simple theme:
Intelligent and rational attackers will always use the lowest cost, least complex attack vector.
Thus, if you're trying to steal data, and you have two choices: 1) Do a major Sneakers-level social engineering attack, or; 2) just pay the insider a few hundred bucks; a decent attacker will always pay the few hundred bucks.
The technical attack is always cool, but it's the simple attack that takes the day almost every time.